How to Understand the HIPAA Privacy Rule and Clinical Research

HIPAA is the acronym for Health Insurance Portability and Accountability Act and it was implemented to provide health plans, health care providers and health care clearinghouses (i.e. covered entities) a set of defined standards for handling patient’s personal information. This makes it the doctor’s responsibility to protect his patients’ medical history, and personal information such as name, address, phone number, credit card and other private information.

People are getting smarter.

A review of the Office of Civil Rights (OCR) Compliance and Enforcement Report shows an annual increase (i.e. 3744, 6534, 6853, 7332 and 8132 respectively) in the number of complaints reported by the patients and others that see violations. Enforcement started in 2003 and you can see that the amount of violations detected in 2004 a little more than doubled over what they were in 2003. Even though the numbers did not double in 2005 and 2006, an increase in violations is obvious.

So, how do HIPAA impact clinical research?

The best way to understand the function of the HIPAA Rule is to think of it as a confidentiality agreement. Patients (known as research subjects) participating in clinical studies are protected by the Code of Federal Regulations (Parts 50 and 56) and the Declaration of Helsinki (DOH). So, let us take a look at what PHI a sponsor would have access too in the first place. Most clinical trials are randomized. This means the research subjects are assigned a unique identification number and no names are provided to the sponsor. The sponsor receives the subject’s demographics, specific medical history and laboratory data from the Clinical Investigator and stores it in a database. None of this information contains the subject’s name, address or phone number. If the information is on any of these documents at the doctor’s office, the investigator redacts all identifiers and replaces it with the unique clinical trial number assigned to the volunteer at the beginning of the clinical trial before forwarding to the clinical trial sponsor. If the sponsor needs a death certificate, the same procedure is used. The subject’s name is blacked out or obliterated on each document. The sponsor’s employees who review these documents will return records to an investigator if it has a subject’s name on it.

Data privacy protection.

Good Clinical Practice regulation ensures the sponsor implements data privacy protection and therefore only a select number of people at the sponsor’s company have access to research data. But even dated is coded with the subject’s unique ID number and the sponsor cannot match the lab results to any specific individual. Data integrity is important to the success of the clinical trial and most sponsors automatically take necessary precautions to enforce data security.

Quality Assurance and Clinical Research Associates have access to PHI

Clinical Research Subject’s PHI is confidentially disclosed to certain members of the sponsor’s team. Quality Assurance and the Clinical Research Associates are given access because they have to verify the information presented to the sponsor against what actually exists at the site in the subject’s medical records. These two groups main function is to ensure that the clinical trial is conducted in accordance with Good Clinical Practices, including the Declaration of Helsinki and the HIPAA Privacy Rule. Both groups understand the importance of confidentiality and privacy and also acts to ensure research subjects are safe and protected. Additionally, the Informed Consent Form that a research subject signs usually will state that the sponsor and the FDA might be granted access to PHI.

So, why is the number of violations related to our personal health information climbing instead of decreasing?

I suggest that covered entities are thinking too hard about the HIPAA process and how to achieve compliance. I think covered entities are over reaching and making the process more difficult than it has to be. According to the Compliance and Enforcement Report, there are four consistent PHI violations: 1) Un-permitted use and disclosure, 2) inadequate safeguards, 3) unsecured access, and 4) minimum necessary information not provided. I suggest that covered entities enlist the help of a good counselor and have them draw up the HIPAA Notice to be given to patients. I suggest that physicians train themselves and their employees on HIPAA requirements to ensure PHI’s are not violated.

HIPAA has no direct impact on clinical research because the parties involved do not meet Congress’s definition for “covered entity”. However, they are still concerned about patient’s PHI and most check to ensure the HIPAA rule is adhered..